Cybersecurity GRC Senior Manager
Cybersecurity GRC Director
- To define cybersecurity policies and procedures, develop governance framework, monitor the implementation of cybersecurity methodology, and identify cybersecurity governance tools across NEOM eco-system.
- Manage the cybersecurity awareness and training across NEOM.
- Manage the Cybersecurity KPIs across NEOM.
- Manage the cybersecurity committees, working groups, and executive reporting.
Key Accountabilities & Activities
- Review and validate cybersecurity policies and procedures ensuring alignment to leading industry standards, applicable laws, and regulations, as well as NEOM’s requirements.
- Supervise the process of developing the governance framework and operating model in line with leading practices, laws and regulations.
- Monitor the development and implementation of cybersecurity methodology highlighting roles and responsibilities in detecting and mitigating cyber threats on time.
- Define cybersecurity policies and procedures in line with laws, regulations, organizational requirements, and best practices.
- Develop and update cybersecurity governance framework based on leading practices, laws, regulations and organizational requirements.
- Develop and maintain the Unified Cybersecurity Framework, the Risk and Control Matrix, Maturity definitions, and implementation trackers.
- Establish cybersecurity governance methodology to ensure that all cybersecurity follows a consistent and repeatable manner.
- Specify the roles and responsibilities of concerned individuals in mitigating cyber threats in line with cybersecurity governance methodology.
- Support in the development of cybersecurity policies and procedures through identifying latest regulations and best practices.
- Gather information related to leading practices to support in the development of governance framework in line with regulations and organizational requirements.
- Participate in the development of cybersecurity governance methodology and suggest improvements based on best practices.
- Analyze strengths and weaknesses of existing cybersecurity tools, document results and suggest improvements.
- Define, manage and monitor cybersecurity KPIs across NEOM.
- Manage cybersecurity regular executive reporting and communication.
- Manage cybersecurity committees and working groups.
- Establish and maintain communication channels with stakeholders.
- Review existing and proposed policies with stakeholders.
- Advise on matters related to cybersecurity governance, best practices, and regulatory requirements.
- Advocate for adequate funding for cyber training resources, to include both internal and industry-provided courses, instructors, and related materials.
- Ensure that cyber workforce management policies and processes comply with legal and organizational requirements regarding equal opportunity, diversity, and fair hiring/employment practices.
- Promote awareness of cyber policy and strategy as appropriate among management and ensure sound principles are reflected in the organization's mission, vision, and goals.
- Review/Assess cyber workforce effectiveness to adjust skill and/or qualification standards.
- Interpret and apply applicable laws, statutes, and regulatory documents and integrate into cybersecurity governance.
- Analyze organizational cyber policy and establish alignment with other related policies.
- Assess policy needs and collaborate with stakeholders to develop policies to govern cyber activities.
- Define and integrate current and future mission environments.
- Design/integrate a cyber strategy that outlines the vision, mission, and goals that align with the organization's strategic plan.
- Draft, staff, and publish cyber policy.
- Monitor the rigorous application of cyber policies, principles, and practices in the delivery of planning and management services.
- Seek consensus on proposed policy changes from stakeholders.
- Provide policy guidance to cyber management, staff, and users.
- Review, conduct, or participate in audits of cyber programs and projects.
- Support in the formulation of cyber-related policies.
- Monitor daily team activities and review developed reports to identify improvements to cybersecurity governance practices at NEOM.
- Review conducted analysis to support in the identification of cybersecurity governance tools and ensure safety of systems across NEOM.
- Develop regular reports and disseminate to concerned stakeholders on time.
- Provide clear direction, prioritize tasks, assign and delegate responsibility and monitor the workflow to ensure proper governance of cybersecurity across NEOM.
- Ensure the execution of regular cybersecurity governance reviews while ensuring the inclusion and satisfaction of stakeholders feedback, and keep abreast of improvement opportunities to rectify cybersecurity governance.
- Ensure periodic collaboration with relevant governance teams for improving the governance and performance of controls.
- Lead team of cybersecurity governance professionals to design, implement and operationalize cybersecurity governance management program.
- Provide management oversight and serve as the leadership point of contact for the cyber security governance team.
- Provide leadership and engage with the business to support security assessment and ensure timely execution of projects and program while mitigating any security risks.
- Identify, recommend appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to a level acceptable to the senior management of the company.
- Work closely with internal groups such as Human Resources, Corporate Governance, IT Governance, Internal Audit, Privacy, Legal, and Compliance on matters of policy and risk management.
- Develop and improve KPI/KRIs, metrics, risk register and trending.
- Mentor, coach, and train security staff and develop their capabilities.
- Manage and improve the function according to NEOM’s strategic objectives and growth.
Background, Skills & Qualifications
Knowledge, Skills and Experience
- Knowledge of computer networking concepts and protocols, and network security methodologies.
- Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
- Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
- Knowledge of cybersecurity and privacy principles.
- Knowledge of cyber threats and vulnerabilities.
- Knowledge of specific operational impacts of cybersecurity lapses.
- Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- Knowledge of the nature and function of the relevant information structure (e.g., National Information Infrastructure).
- Knowledge of the organization's core business/mission processes.
- Knowledge of applicable laws, statutes (e.g., NCA, CST, NDMO), Royal Decrees, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
- Knowledge of full spectrum cyber capabilities (e.g., defense, attack, exploitation).
- Knowledge of strategic theory and practice.
- Knowledge of emerging technologies that have potential for exploitation.
- Knowledge of industry indicators useful for identifying technology trends.
- Knowledge of external organizations and academic institutions with cyber focus (e.g., cyber curriculum/training and Research & Development).
- Knowledge of current and emerging cyber technologies.
- Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)
- Experience leading and influencing cross-functional teams/projects.
- Demonstrated customer focus – evaluates decisions through the eyes of the customer; builds strong customer relationships and creates processes with customer viewpoint.
- Strong analytical skills – strong problem-solving skills, communicates in a clear and succinct manner and effectively evaluates information/data to make decisions; anticipates obstacles and develops plans to resolve.
- Change oriented – actively generates process improvements; supports and drives change and confronts difficult circumstances in creative ways. Self-motivated, self-directed, flexible, and able to work under pressure and in fast paced team environment.
- Demonstrated ability to lead and motivate staff and to apply skills and techniques to solve dynamic problems.
- Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
- Skill in preparing plans and related correspondence.
- Strong problem solving, prioritization, presentation, and facilitation skills with the ability to make recommendations to all levels of the organization.
- Strong functional team player with experience working seamlessly across a matrix structure.
- Excellent interpersonal, written/verbal communication and leadership skills with the ability to make recommendations to all levels of the organization.
- Experience with project management and execution of multiple simultaneous and / or large projects.
Qualifications & Experience
- A Bachelor’s Degree in Computer Engineering, Computer Science, or equivalent is required
- Experience with various industry regulations and frameworks (ISO27001, ISO31000, IRM, SAMA, Personal Data Protection Laws, NCA, CST, NDMO, NIST, CIS etc.)
- Experience with GRC tools such as Service Now, Archer, etc.
- Experience with risk tools such as BitSight, RiskRecon, SecurityScorecard, SAFE, CORL, etc.
- Experience working in a highly regulated environment.
- Experience or understanding of complex governance including subsidiaries and Critical National Infrastructure, and GIGA Projects.
- Experience in developing cybersecurity controls, programs and frameworks.
- Strong background in security controls, auditing, network, and system security.
- Ability to express complex technical concepts in business terms.
- Organized and detail-oriented, able to work well under deadlines in a changing environment and complete multiple projects effectively and concurrently.
- Evaluate effectiveness of the internal security control framework and recommend adjustments as business needs change.
- Regularly interact with all levels of management to present and discuss control effectiveness.
- Cybersecurity Authority
- Internal Audit
- Corporate GRC
- NEOM sectors, regions, subsidiaries, and departments
- Risk Champions
- Information Security Steering Committee
- Related internal committees